The cost of cyber breaches has increased three-fold in the past year, according to the latest annual Cyber Security Breaches Survey published by the Department for Business, Innovation and Skills (BIS).
The average cost of the worst breaches for small businesses was £50,000, while for large businesses this was £650,000, with some of the larger breaches costing more than £1m, according to the survey launched at Infosecurity Europe 2013 in London.
Business disruption was the biggest contributor to the cost, with companies taking longer to fix problems, restore systems and investigate breaches, said Chris Potter, partner at PricewaterhouseCoopers (PwC).
“Where companies had contingency plans in place, the cost of breaches is typically lower, but we saw that, while most companies are well prepared for viruses, for example, they are not well prepared for computer fraud,” Potter told Computer Weekly.
The research showed increases in reputational impact from adverse media coverage. Although it is difficult to put a number on reputational damage, PwC – which carried out the research in conjunction with Infosecurity Europe – measured it in terms of likely revenue impact, said Potter.
Another big trend was a significant increase in outsider attacks, with the average large business coming under attack every few days, and some under attack all the time, said Potter.
Some 78% of large organisations were attacked by an unauthorised outsider, up from 73% a year ago; and 63% of small businesses, up from 41%.
The jump in attacks on small business was even more significant, with nearly two-thirds of small businesses coming under significant attack once every six weeks, on average.
The research shows that 87% of small businesses across all sectors experienced a breach in the past year, an increase of more than 10%.
The costs of these attacks amounted to up to 6% of turnover, but small businesses could protect themselves for far less, the report said.
This report comes as the Technology Strategy Board extends its Innovation Vouchers scheme to allow small and medium enterprises (SMEs) to bid for up to £5,000 from a £500,000 pot to improve their cyber security by bringing in outside expertise.
BIS is also publishing guidance to help small businesses put cyber security higher up the agenda and make it part of their normal business risk management procedures.
Science and universities minister David Willetts said companies are more at risk than ever of having their cyber security compromised, in particular small businesses.
“No sector is immune from attack, but there are simple steps that can be taken to prevent most incidents,” Willetts said.
“The package of support we are announcing today will help small businesses protect valuable assets like financial information, websites, equipment, software and intellectual property, driving growth and keeping UK businesses ahead in the global race,” said Willetts.
The survey also showed that the median number of breaches suffered was 113 for a large organisation, up from 71 in 2012, and 17 for a small business, up from 11 in 2012.
This means that affected companies experienced roughly 50% more breaches on average than a year ago, with 93% of large organisations reporting breaches in the past year.
The proportion of organisations reporting successful breaches also increased in the past year, to 20% of large organisations, up from 15%, and to 15% of smaller businesses, double the 2012 figure.
“These statistics are frightening if you think of how much data is shared between organisations, and there is a one-in-five chance that someone is looking at data being shared,” said Potter.
Some 14% of large organisations reported they had lost IP, up from 12%; while 9% of SMEs reported IP theft, double the 2012 figure.
SMEs reported that in the past year, 57% of breaches were linked to insiders, which is the highest figure to date and up from 45% in 2012. In large organisations, 84% of breaches were connected with insiders.
Potter said about a third of the worst breaches were caused at least in part by staff error. In 50% of cases, organisations had invested in security awareness training for staff, he said.
“This suggests that most organisations are not focused enough on proactive security awareness training,” he said.
The research showed that there tended to be a higher incidence of staff-related breaches where they reported a poor understanding of company security policy.
“Email misuse, accidental data loss, deliberate theft and data protection breaches tended to be lower where understanding of security policies was good,” said Potter.
Despite all the talk of advanced persistent threats (APTs) in recent years, he said there were relatively few breaches related to this type of attack or from common viruses.
“However, there were significant problems caused by worms such as Conficker, for which security patches have been available for years,” said Potter.
This suggests that adoption of anti-virus technologies is good, but patch management is an area that many organisations should be focusing on, he said.
Some 81% of respondents reported that their senior management place a high or very high priority on security; however, many business leaders have not been able to translate expenditure into effective security defences.
“The main reasons for this are that organisations are not doing proper risk assessments and engaging with the board around risk, and they are not educating staff to explain risk,” said Potter.
Only 12% of the worst security breaches were partly caused by senior management giving insufficient priority to security.
On the positive side, companies are investing more in security, with security getting around 10% of the IT budget, on average.
Most companies expect to spend at least the same on security in the coming year as they did in the past year, said Potter.
Government intelligence agency GCHQ estimates that 80% or more of currently successful attacks can be prevented by simple best practice.
This could be steps as straightforward as ensuring staff do not open suspicious-looking emails or ensuring sensitive data is encrypted, the report said.